FEDERAL BUREAU OF INVESTIGATION

Complaint Form

FD-71 (Rev. 5-8-10)

Title: (U) Access Industries, Inc. e-mail intrusion
Date: 02/10/2015

Approved By: [redacted]

Case ID #: [redacted] (U) MENDEZ SUPREME TRADES INC.;
EMAIL INTRUSION;
VICTIM: ACCESS INDUSTRIES, INC.;

Complaint Synopsis: (U) Email intrusion for the purpose of conducting unauthorized wire transfers.

Full Investigation Initiated: 02/10/2015
Received On: 02/09/2015
Receipt Method: In Person
Incident Type: Criminal Activity
Complaint Details:

On or about December 13, 2014, unknown person(s) logged into the corporate e-mail account [redacted] owned by ACCESS INDUSTRIES, INC (ACCESS INC) without permission or authority. Once logged into the account, the unknown person(s) made unauthorized email-handling rule changes to the account. The rule changes caused approximately 1,490 emails to be forwarded to an identified external email address. The rule also caused emails received from MERRILL LYNCH and BANK OF AMERICA to be deleted after being forwarded.

On or about December 22, 2014, an email was sent to MERRILL LYNCH from the ACCESS INC email address. The email requested MERRILL LYNCH send a $49,800.60 wire to TD BANK account holder, MENDEZ SUPREME TRADES INC., account number [redacted]. MERRILL LYNCH requested verbal confirmation from ACCESS INC for the wire request. ACCESS INC identified the wire request email as unauthorized and alerted MERRILL LYNCH. MERRILL LYNCH cancelled the wire request, resulting in no financial losses.


Entities:

Access Industries, Inc. (Complainant, Organization, U.S. Person? Unknown)
  Location
    Address: 730 Fifth Avenue
    City: New York
    State: NY
    Zip Code: 10019
    Country: United States
  Financial Account
    Type: Security
    Institution: Merrill Lynch
    Association: Uses
  Communication Account
    Type: Email
    [redacted]
    Association: Utilizes

TD Bank (Reference, Organization, U.S. Person? Unknown)
  Financial Account

Mendez Supreme Trades Inc. (Reference, Organization, U.S. Person? Unknown)
  Location
    Address: 5946 Madison Street, Apartment 1
    City: Ridgewood
    State: NY
    Zip Code: 11385
    Country: United States
    Association: Residence
  Communication Account
    Type: Telephone
    Account: 347-232-2882
  Financial Account
    Type: Bank
    [redacted]
    Institution: TD Bank
    Association: Uses

BANK OF AMERICA (Reference, Organization, U.S. Person? Unknown)
  Financial Account

MERRILL LYNCH (Reference, Organization, U.S. Person? Unknown)
  Organization Information
    Name: MERRILL LYNCH
    Type: Corporation
FEDERAL BUREAU OF INVESTIGATION

Date of entry 02/18/2015

Meeting conducted with representatives of ACCESS INDUSTRIES, INC (ACCESS INC) for the purpose of reviewing information regarding an e-mail intrusion and attempted unauthorized wire transfer. Information as follows:

Meeting was conducted at ACCESS INC, New York, corporate office located at 730 Fifth Avenue, New York, New York, 10019.

Representatives/Task Force Officers (TFO) present during meeting are as follows:

ACCESS INC [redacted]
ACCESS INC, [redacted]
CASALE ASSOCIATES, LLC [redacted]
[redacted] ESQ. CASALE ASSOCIATES, LLC, Attorney
Investigator.

- TFO [redacted] JTCTF
- TFO [redacted] JTCTF
- TFO [redacted] JTCTF

[redacted] explained the following events leading to an attempted unauthorized wire request:

On December 22, 2014, ACCESS INC [redacted] received a telephone call from a representative of MERRILL LYNCH. The representative requested a verbal confirmation for a $49,800.60 [...]

[redacted], knowing he did not send the request, asked the representative to send a copy of the email back to his [redacted] email. [redacted] waited for the email to arrive in his email inbox. After waiting for a time, [redacted] contacted MERRILL LYNCH and inquired about the email. [redacted] was informed that the email was sent. [redacted] conducted a search of his email account and found the email in the account's deleted items folder.

Investigation on 02/09/2015 at New York, New York, United States (In Person)
File # [redacted]    Date drafted 02/12/2015
by [redacted]

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
[redacted] also notified ACCESS INC [redacted] of the incident. [redacted] conducted an internal review of [redacted] email account. [redacted] found that new email processing rules were created on [redacted] email account. The rules, which were created on or about December 13, 2014, caused emails from ML.COM (MERRILL LYNCH) and BANKOFAMERICA.COM (BANK OF AMERICA) to be automatically deleted. Additional review by [redacted] found that all emails sent to [redacted] were being forwarded to an email account identified as [redacted]. Both email processing rules were made without [redacted] knowledge or permission.

On or about December 24, 2014, [redacted] disabled the unauthorized email processing rules. [redacted] also changed his email password to comply with a strong password policy.

[redacted] reviewed the email sent to MERRILL LYNCH requesting the wire transfer. [redacted] determined that the email was sent directly from [redacted] mailbox hosted at MICROSOFT OFFICE 365 cloud services and originated from [redacted]. An IP search confirmed that the IP is owned by TIME WARNER CABLE.

[redacted] conducted a review of the email attachment sent to MERRILL LYNCH on 12/22/2014. [redacted] determined that the attachment was most likely used by [redacted] for a prior legitimate email wire transfer request. The attachment was downloaded from [redacted] email account on an unknown date and time. Reviewing metadata, [redacted] also determined that the legitimate transfer was modified using MICROSOFT WORD 2013, on 12/22/2014 at 2:28:30 PM by author "TECHIE". The document was then converted into a PDF using Neevia Document Converter Pro v6.7, before being emailed to MERRILL LYNCH.

[redacted] explained that ACCESS INC. is currently using a Hybrid email system as the company migrates to a fully cloud based email service provided by MICROSOFT 365. ACCESS INC currently manages 100 corporate emails, 30 of which are cloud based. The remaining 70 accounts are traditional server based emails. [redacted] email is cloud based. Login information is administrated and documented by MICROSOFT.

[redacted] provided copies of the following:

- EMAIL HEADER (MERRILL LYNCH EMAIL SENT 12/22/2014)
- ATTACHMENT TO MERRILL LYNCH EMAIL
- NOTES REGARDING INCIDENT

Corporate MICROSOFT account [redacted]
On December 22, 2014 [redacted] has received a call from his Merrill Lynch financial advisor with the request to confirm wire transfer from one of his accounts in amount of ~$44,5K that was allegedly sent earlier by email.

[redacted] has requested a copy of this email to be sent back to him for review. After waiting some time and noticing that expected email is not arriving to his Inbox, [redacted] has found this email in his Deleted Items folder. He has contacted me with the request to look into this situation.

After login remotely to [redacted] home PC and further investigation, we (me and [redacted]) have determined that number of malicious automatic email processing rules were created in his mailbox. These rules were forwarding all messages from ml.com to bankofamerica.com to email account at Russian free mobile email service provider ro.ru (Rumbler) and sequentially deleting these previously forwarded emails from Inbox.

We have disabled these email auto processing rules [redacted] mailbox and he placed a call to his Merrill Lynch advisor with the request to forward message in question to my email address as an attachment, to preserve metadata.

After further metadata investigation of said message, we have determined that it was sent directly from [redacted] mailbox hosted at Microsoft Office 365 cloud services and was originated from IP that resolved to [redacted]

Based on findings above password was immediately changed, ensuring that it is compliant with strong password policy.

Investigation of forged Wire Transfer Request metadata has revealed that this document was created by author “Techie” with Microsoft Word 2013 on 12/22/2014 at 2:28:30 PM and converted into PDF with Neevia Document Converter Pro v 6.7. As per [redacted] perpetrators most likely have used and modified legitimate Wire Transfer Request that was earlier prepared by him and sent to Merrill Lynch for execution.


OCEAN TERRACE HOLDINGS
VENDOR PAYMENT AUTHORIZATION & WIRE INSTRUCTIONS

VENDOR: MENDEZ SUPREME TRADES INC
INVOICE NO.: 1419-09-14
AMOUNT DUE: $49,800.60

VENDOR PAYMENT BY RESPONSIBLE PARTY:
SANDOR SCHER: $4,980.06.

VENDOR WIRE TRANSFER INFORMATION:
MENDEZ SUPREME TRADES INC
c/o TD Bank Bronx, NY
ABA no
Account Number
Ref: Payment of Inv no -09- for services rendered

COMPLETED:    BY:

Merrill Lynch

Please pay by wire the attached invoice for

1. $44,820.54 (forty-one thousand eight hundred and twenty dollars and 54 Cents)

From my credit line.

[redacted]
for Ocean Terrace Holdings

Reference: Fron

Than
FEDERAL BUREAU OF INVESTIGATION

Import Form

FD-1036 (Rev. 10-16-2009)

Form Type: EMAIL
Date: 03/03/2015

Title: (U) Identified victim [redacted]

Approved By: SSA [redacted]

Case ID #: [redacted] (U) MENDEZ SUPREME TRADES INC.;
EMAIL INTRUSION;
VICTIM: ACCESS INDUSTRIES, INC.;

Synopsis: (U) This E-mail serves to document an identified victim in the captioned case. A victim notification letter will be mailed to the victim.


UNCLASSIFIED

Sent: Monday, March 02, 2015 3:00 PM
Subject: RE: Recently opened cases --- UNCLASSIFIED

Classification: UNCLASSIFIED

NY-[redacted] | 2/10/2015 | CY06 | Pending

Hello [redacted],
In case the victim has been identified as Access Industries Inc., 730 Fifth Avenue, New York, NY, 10015. Access Industries Inc. Legal contact information [redacted]


From: [redacted] (NY) (FBI)
Sent: Thursday, February 26, 2015 12:49 PM
Subject: Recently opened cases --- UNCLASSIFIED

Classification: UNCLASSIFIED

Good Afternoon, everyone.
Please find your case below.
As the Victim Specialist assigned to your squad, I must follow up every month with new possible-victim cases to ensure you're in compliance with federal law. In other words, I want to keep you off a HQ list for non-compliance.

Please advise if:

- You have any possible federal crime victims in your case
- If I may send a victim notification letter to the victim(s)
- If sending a victim notification letter to a known victim would interfere with your investigation or the victim's security
- If the case is classified:
  o Secret
  o FBI isn't the lead agency
  o The crime was determined to not be a federal offense
  o Restricted
  o Victim is a government entity
  o Other (please explain)

Please E-mail me back by Tuesday, March 3.

Also, I welcome your call if you wish to discuss any victim issues.

Thank you very much and I hope your week is a good one.

[redacted]


Victim Specialist | File # | Date opened | Squad | Special Agent | Status

15-NY-61 11620 ners 21 ee
NY-[redacted] | 1/16/2015 | CY06 | Pending
NY-[redacted] | 2/10/2015 | CY06 | Pending
[redacted] | 2/11/2015 | Pending

[redacted], MA
Victim Specialist
FBI New York/JFKRA
[redacted] (desk)
[redacted] (mobile)

Classification: UNCLASSIFIED

Classification: UNCLASSIFIED

[redacted]
Victim Specialist
FBI New York/JFKRA
[redacted] (desk)